Issued:
2005-10-26
Updated:
2005-10-26

RHSA-2005:805 - Security Advisory

Synopsis

pam security update

Type/Severity

Security Advisory: Low

Topic

An updated pam package that fixes a security weakness is now available for
Red Hat Enterprise Linux 4.

This update has been rated as having low security impact by the Red Hat
Security Response Team.

Description

PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set an authentication policy without
having to recompile programs that handle authentication.

A bug was found in the way PAM's unix_chkpwd helper program validates user
passwords when SELinux is enabled. Under normal circumstances, it is not
possible for a local non-root user to verify the password of another local
user with the unix_chkpwd command. A patch applied that adds SELinux
functionality makes it possible for a local user to use brute force
password guessing techniques against other local user accounts. The Common
Vulnerabilities and Exposures project has assigned the name CVE-2005-2977 to
this issue.

All users of pam should upgrade to this updated package, which contains
backported patches to correct these issues.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Affected Products

  • Red Hat Enterprise Linux Server 4 x86_64
  • Red Hat Enterprise Linux Server 4 ia64
  • Red Hat Enterprise Linux Server 4 i386
  • Red Hat Enterprise Linux Workstation 4 x86_64
  • Red Hat Enterprise Linux Workstation 4 ia64
  • Red Hat Enterprise Linux Workstation 4 i386
  • Red Hat Enterprise Linux Desktop 4 x86_64
  • Red Hat Enterprise Linux Desktop 4 i386
  • Red Hat Enterprise Linux for IBM z Systems 4 s390x
  • Red Hat Enterprise Linux for IBM z Systems 4 s390
  • Red Hat Enterprise Linux for Power, big endian 4 ppc

Fixes

  • BZ - 168181 - CVE-2005-2977 unix_chkpwd helper doesn't verify requesting user if SELinux is enabled

CVEs

References

(none)

Red Hat Enterprise Linux Server 4

SRPM
pam-0.77-66.13.src.rpm SHA-256: 05eaf6b1fb5eb81d4f4a803bc0a862d98ac29b444aa6439aa14b04d7a5bf2199
x86_64
pam-0.77-66.13.i386.rpm SHA-256: 10566ed7ddd4d9924c361dc85c59174c2a48fd22a2acbf5c4dbd8408c3028073
pam-0.77-66.13.i386.rpm SHA-256: 10566ed7ddd4d9924c361dc85c59174c2a48fd22a2acbf5c4dbd8408c3028073
pam-0.77-66.13.x86_64.rpm SHA-256: ecb7343fa99c09b4317a49aa7aa57e93d22b83bea18184fa5c1f6d16ca062f23
pam-0.77-66.13.x86_64.rpm SHA-256: ecb7343fa99c09b4317a49aa7aa57e93d22b83bea18184fa5c1f6d16ca062f23
pam-devel-0.77-66.13.i386.rpm SHA-256: 547bbcace1086e8f8b159a8d31f7f0a637126a11e8f8ea2ebda4ba35da57c6cb
pam-devel-0.77-66.13.i386.rpm SHA-256: 547bbcace1086e8f8b159a8d31f7f0a637126a11e8f8ea2ebda4ba35da57c6cb
pam-devel-0.77-66.13.x86_64.rpm SHA-256: de71a91972ef3f701cbd25af3e039982417d6df705becd422a870db6eb5afcdc
pam-devel-0.77-66.13.x86_64.rpm SHA-256: de71a91972ef3f701cbd25af3e039982417d6df705becd422a870db6eb5afcdc
ia64
pam-0.77-66.13.i386.rpm SHA-256: 10566ed7ddd4d9924c361dc85c59174c2a48fd22a2acbf5c4dbd8408c3028073
pam-0.77-66.13.i386.rpm SHA-256: 10566ed7ddd4d9924c361dc85c59174c2a48fd22a2acbf5c4dbd8408c3028073
pam-0.77-66.13.ia64.rpm SHA-256: c6e9c8a9bff201304de9a6ba7e1eda68b8f41182cf9ed0b533399d8fff6b6061
pam-0.77-66.13.ia64.rpm SHA-256: c6e9c8a9bff201304de9a6ba7e1eda68b8f41182cf9ed0b533399d8fff6b6061
pam-devel-0.77-66.13.ia64.rpm SHA-256: f9ffba4b0415b4416b1792cb97c3cedfe26f0fd8309e0c65e304cd5ad792a9e9
pam-devel-0.77-66.13.ia64.rpm SHA-256: f9ffba4b0415b4416b1792cb97c3cedfe26f0fd8309e0c65e304cd5ad792a9e9
i386
pam-0.77-66.13.i386.rpm SHA-256: 10566ed7ddd4d9924c361dc85c59174c2a48fd22a2acbf5c4dbd8408c3028073
pam-0.77-66.13.i386.rpm SHA-256: 10566ed7ddd4d9924c361dc85c59174c2a48fd22a2acbf5c4dbd8408c3028073
pam-devel-0.77-66.13.i386.rpm SHA-256: 547bbcace1086e8f8b159a8d31f7f0a637126a11e8f8ea2ebda4ba35da57c6cb
pam-devel-0.77-66.13.i386.rpm SHA-256: 547bbcace1086e8f8b159a8d31f7f0a637126a11e8f8ea2ebda4ba35da57c6cb

Red Hat Enterprise Linux Workstation 4

SRPM
pam-0.77-66.13.src.rpm SHA-256: 05eaf6b1fb5eb81d4f4a803bc0a862d98ac29b444aa6439aa14b04d7a5bf2199
x86_64
pam-0.77-66.13.i386.rpm SHA-256: 10566ed7ddd4d9924c361dc85c59174c2a48fd22a2acbf5c4dbd8408c3028073
pam-0.77-66.13.x86_64.rpm SHA-256: ecb7343fa99c09b4317a49aa7aa57e93d22b83bea18184fa5c1f6d16ca062f23
pam-devel-0.77-66.13.i386.rpm SHA-256: 547bbcace1086e8f8b159a8d31f7f0a637126a11e8f8ea2ebda4ba35da57c6cb
pam-devel-0.77-66.13.x86_64.rpm SHA-256: de71a91972ef3f701cbd25af3e039982417d6df705becd422a870db6eb5afcdc
ia64
pam-0.77-66.13.i386.rpm SHA-256: 10566ed7ddd4d9924c361dc85c59174c2a48fd22a2acbf5c4dbd8408c3028073
pam-0.77-66.13.ia64.rpm SHA-256: c6e9c8a9bff201304de9a6ba7e1eda68b8f41182cf9ed0b533399d8fff6b6061
pam-devel-0.77-66.13.ia64.rpm SHA-256: f9ffba4b0415b4416b1792cb97c3cedfe26f0fd8309e0c65e304cd5ad792a9e9
i386
pam-0.77-66.13.i386.rpm SHA-256: 10566ed7ddd4d9924c361dc85c59174c2a48fd22a2acbf5c4dbd8408c3028073
pam-devel-0.77-66.13.i386.rpm SHA-256: 547bbcace1086e8f8b159a8d31f7f0a637126a11e8f8ea2ebda4ba35da57c6cb

Red Hat Enterprise Linux Desktop 4

SRPM
pam-0.77-66.13.src.rpm SHA-256: 05eaf6b1fb5eb81d4f4a803bc0a862d98ac29b444aa6439aa14b04d7a5bf2199
x86_64
pam-0.77-66.13.i386.rpm SHA-256: 10566ed7ddd4d9924c361dc85c59174c2a48fd22a2acbf5c4dbd8408c3028073
pam-0.77-66.13.x86_64.rpm SHA-256: ecb7343fa99c09b4317a49aa7aa57e93d22b83bea18184fa5c1f6d16ca062f23
pam-devel-0.77-66.13.i386.rpm SHA-256: 547bbcace1086e8f8b159a8d31f7f0a637126a11e8f8ea2ebda4ba35da57c6cb
pam-devel-0.77-66.13.x86_64.rpm SHA-256: de71a91972ef3f701cbd25af3e039982417d6df705becd422a870db6eb5afcdc
i386
pam-0.77-66.13.i386.rpm SHA-256: 10566ed7ddd4d9924c361dc85c59174c2a48fd22a2acbf5c4dbd8408c3028073
pam-devel-0.77-66.13.i386.rpm SHA-256: 547bbcace1086e8f8b159a8d31f7f0a637126a11e8f8ea2ebda4ba35da57c6cb

Red Hat Enterprise Linux for IBM z Systems 4

SRPM
pam-0.77-66.13.src.rpm SHA-256: 05eaf6b1fb5eb81d4f4a803bc0a862d98ac29b444aa6439aa14b04d7a5bf2199
s390x
pam-0.77-66.13.s390.rpm SHA-256: 605076ae243545b8ce2c6b321fcfc4ec10da7903020bd143dcb16f4eb3ee2ecb
pam-0.77-66.13.s390x.rpm SHA-256: 44fdf7605776a3916ea04781743f9c479eee791eb19b93de17303906441a066d
pam-devel-0.77-66.13.s390.rpm SHA-256: b86ba6b3f21bb30ca0a8fbf7a9327ed62881f2ce241ec7e815498ade7f70019b
pam-devel-0.77-66.13.s390x.rpm SHA-256: ea59541c30a8ec6959144860c6c8a0227403a19e4ff7487fc0283fbc94cd564c
s390
pam-0.77-66.13.s390.rpm SHA-256: 605076ae243545b8ce2c6b321fcfc4ec10da7903020bd143dcb16f4eb3ee2ecb
pam-devel-0.77-66.13.s390.rpm SHA-256: b86ba6b3f21bb30ca0a8fbf7a9327ed62881f2ce241ec7e815498ade7f70019b

Red Hat Enterprise Linux for Power, big endian 4

SRPM
pam-0.77-66.13.src.rpm SHA-256: 05eaf6b1fb5eb81d4f4a803bc0a862d98ac29b444aa6439aa14b04d7a5bf2199
ppc
pam-0.77-66.13.ppc.rpm SHA-256: 2a9d95e4651338cf6054b0c12eacb58674439a69812220c317a78f90054b93c8
pam-0.77-66.13.ppc64.rpm SHA-256: aa846329f32a2cbba34ca1322a821663a2f45e77728532dcab7dc7f9355c9a3c
pam-devel-0.77-66.13.ppc.rpm SHA-256: 9b41e00d8b867d027a695c2e1ca4f526b7ecb706cf133b09994eb8483fd82952
pam-devel-0.77-66.13.ppc64.rpm SHA-256: 227c70713848ecefe304a3dc7a4e807f2aa03f3d228267e482beaf15b8848dbc

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.